
Klassen, V. (2011) Privacy and Cloud-Based Educational Technology in British Columbia Vancouver BC: BCCampus

This discussion paper is probably the most important paper I have read this year regarding the future of e-learning in Canada. It is essential reading not just for institutional CIOs, but also for any instructor wanting to use Google Docs, Facebook, or any other social media where the data is stored ‘in the cloud.’

Basically it examines the tension between British Columbia’s privacy law and the use of social media, particularly those hosted on U.S. servers (which is the majority at the moment), but also would apply to data stored on other foreign servers (e.g. in India) that have less stringent privacy laws than British Columbia. It is deliberately meant as a discussion document to bring better alignment between the Office of the Privacy Commissioner and practice in British Columbia’s post secondary educational institutions. It is based on discussions with BC institutions about what and how instructors are doing with social media and its relationship to the law.

I can do no better than quote from the document to give you some idea of the issues addressed:

Besides streaming video, instructors and students are using other social media such as blogs, Facebook pages, instant messaging, Twitter, Google Docs, and other third party, U.S.-based social media services to collaborate in a learning environment. These services offer many advantages: they are inexpensive, robust, feature-rich, intuitive to the user, easy to access and easy to share with peers. They also offer many disadvantages: chief of which is the risk to privacy and security of user’s personal information posed by these services.

Social media services are commercial ventures. They earn revenue from advertisers or partners who use the data voluntarily submitted by users to target their marketing efforts. In other words: the commercial product bought and sold isn’t the social media application itself, rather it is the users themselves and the rich, detailed information they willingly provide online about their consumer habits.

Social media companies are almost exclusively based in the United States, where the provisions of the Patriot Act apply no matter where the information originates. The Patriot Act allows the U.S. government to access the social media content and the personally identifying information without the end users’ knowledge or consent.

The government of British Columbia, concerned with both the privacy and security of personal information, enacted a stringent piece of legislation to protect the personal information of British Columbians. The Freedom of Information and Protection of Privacy Act (FIPPA) mandates that no personally identifying information of British Columbians can be collected without their knowledge and consent, and that such information not be used for anything other than the purpose for which it was originally collected.

The paper found that institutional policies regarding this issue not surprisingly are all over the map. In particular, it is clear that individual instructors in British Columbia are risking falling foul of the law, mainly through ignorance, but in some cases willfully. BCCampus and the institutions are to be praised for trying to clarify the issue with BC’s Privacy Commissioner, who appears willing to work with the institutions on this matter. In the meantime, here are my personal comments on the issue.


1. Thank God we have a strong privacy law in British Columbia. We need protection from government intrusion into our privacy. I want to be free to talk about the reasons that drive terrorists to murder people without being put on a no-fly list without appeal. Secondly I don’t want my personal information or that of my students sold to third parties merely because in an online course we discuss the value of different products for teaching online, or because we access collectively a range of commercial web-based sites for the purpose of study.

2. However, trying to stop instructors and students from using social media because the data are hosted outside Canada is futile. If we are to secure our privacy, we will need to find ways of making consensual choices and knowing the risks we take when we do this.

3. The Patriot Act is probably the worst legislation ever passed by the US government. An act of panic in a moment of threat. It is immensely damaging to the USA’s trade, as well as removing essential democratic protections from its citizens. That’s the business of the USA, but it also affects the rest of the world, as anyone who tries to cross the border or do business in the USA immediately discovers. It is certainly a constraint on the use of web 2.0 tools in education.

4. But where is Canadian business on this issue? Where are the Canadian sites or services offering social media? My web site is hosted in Canada, but it is much easier to find companies in the USA or overseas offering social media services, and they are usually cheaper due to the laws of supply and demand. All the talk by the Canadian Federal government about the digital economy is pretty meaningless if no-one is hosting server farms and social media in Canada.

5. This is an interesting example of the tensions in globalization. The USA has created and made available social media to the world, but at the same time wants the world to follow its laws and customs (Google Books is another example of an American company trying to over-ride the rights of authors in other countries). Perhaps the answer to the issue of privacy and social media lies in international rather than national law, but that will take so long we will have moved on to something else – and anyway, the USA ignores international law when it suits its purpose.

These are just personal ramblings, but I do strongly recommend that you read this paper. It sets out the issues clearly, although it offers no immediate solutions.

See also: Clint Lalonde (2011) Privacy and cloud based apps – a background paper from BCcampus ClintLalonde.net, March 25

Thanks to both David Porter and Stephen Downes for directing me to this.


  1. Thank you for sharing this article and your views on privacy. I acknowledge, with many if not most of us, that people’s privacy has been pressured by technological progress for some decades, that the laws hardly kept up, and that cloud computing is increasing this tension by an order of magnitude. This topic is also one of the most important and timely in my view. CIOs and the educational community, as well as government, will have to make decisions very shortly, in part because of the economic context and the low barriers of access to these technologies.

    About this article, I would point out that it would be best presented as “the perception” of administrators (vs. students or the public at large) of BC (vs. Canada) universities and colleges. The author seems to recognize that students are not as concerned for their privacy, maybe because of demographic differences (Gen Y have different expectations), lack of education on the matter (something that might be addressed earlier in K-12), or just by opportunism or laziness because social media and web2.0 tools make it plain “easy”.

    Since the informants are the older crowd (old enough to get to these university and college administrator jobs), they are naturally perceiving things differently, according to their own worldvision, radically different from the students’. Furthermore, they have an incentive to be overly cautious since their job is on the line (plus they can be sued), and they are not driving any benefits for themselves from these technologies (the end-users are the students). It is not surprising that big words such as “US Patriot Act” and “FIPPA” be used, but is it an objective view on the topic?

    FIPPA is a provincial statute dealing with access to information (i.e. particular to BC in this case). The author mentions the federal statute PIPEDA only once (p. 13) within an example, though on July 14, 2005, the Office of the Privacy Commissioner of Canada advised that PIPEDA would apply to non-core commercial activities including the selling or bartering of alumni lists. PIPEDA deals with commercial activities; we’ll come back to this. The US Patriot Act has some equivalent in Canada in the form of the CSIS Act. According to David Fraser, Partner at McInnes Cooper, not only can Canada access people’s personal information under this Act, but it can also share it with the U.S., with no obligation to report it to the people (which means that we don’t know if that happens once in a while, a lot, or quite rarely). Bottom line, it makes no practical difference under which jurisdiction the data is hosted.

    On the technical side of things, no college or university (or even possibly an entire province) could compete with these globally distributed computing clusters that companies like Google and Amazon (to name a few) have been building for more than 10 years. Their reliability is amazingly high (their own business relies on it, whether internet searches/ads or book sales), and they leverage hard to beat economies of scale. They also offer some level of security. For example, data is “shredded” on Google servers so that a hacker breaking into one location would not find any useful information.

    Last but not least, this paper talks mainly about these free web2.0 tools, as free-with-ads, when free commercial versions also exist without ads. Those used to reading about Free/Libre Open Source Software won’t be surprised that a commercial product can be free (this is another topic). Google and Microsoft, for example, offer their on-line office suite (Google Apps and Microsoft 360), and their email suite (GMail and on-line Exchange) for $0 to universities and colleges. These companies have entered into an agreement with a number of universities already, including in Canada.

    Ryerson University (Toronto, Ontario) has reached this point where they have to decide whether to invest in a multi-million dollar system that nobody uses (most users forward their mail to GMail and other services), or to switch to a service costing $0 with a much better level of service (reliable, always-on, additional features like calendaring, office tools, etc). At their symposium, last month, the Ontario IPC, Dr. Ann Cavoukian, was very supportive of these cloud computing solutions, recommending quite pragmatically that privacy be built-in. The slides and video streaming (probably hosted in Canada) are available at http://email.blog.ryerson.ca/2011/02/27/symposium-presentations-and-other-resources/ . There were quite a number of attendees coming from universities and colleges located in other provinces.

    • Hi, Marc. Many thanks for this terrific comment.

      I really appreciate the information about PIPEDA and the Ontario initiative.

      I think the tension between social media and privacy and security is finely balanced. I recognize the convenience and effectiveness of social media, and their potential for education. It is also important not to get paranoid about government surveillance or commercial conspiracies.

      On the other hand, for many people (including myself), social media and particularly cloud computing are a black hole into which personal information disappears. What happens to it, who has access to it, what is done with it, and more worryingly, what might be done with it in the future, all remain a mystery. As you say, this doesn’t seem to bother most young people, but that may mean that others are trading on their innocence.

      As Thomas Jefferson said, ‘The price of freedom is eternal vigilance’, or as I might put it, less eloquently, ‘I just don’t trust the bastards.’

  2. Thank you for this article Tony. The issues that you raise are identical to those faced by Australian universities. In fact a fair amount of my time is spent negotiating the minefields around privacy, security and the Patriot Act for our formal enterprise wide hosted applications. I find that vendors tend to vary in their responses. One company, for example, has agreed that it will modify its T&C to include the need to meet Victorian privacy legislation which governs my university. It has also agreed to host data in data centres outside of the US.

    Another vendor (incidentally a Canadian company before it was purchased by an LMS vendor last year) refused point blank to modify its T&C forcing us to modify policy and procedure at the point of use. A process that is unlikely to work in reality as teaching staff don’t really care about things like that.

    When looking at informal use of hosted applications (i.e. initiated entirely by the individual academic) there is little understanding of the implications of their choice. This doesn’t just relate to privacy and security but also to things like assessment policy. Imagine an academic using a free cloud based wiki service to get the students to create wikis that are then summatively assessed. How are these assessments archived to meet university archiving policy?

    Incidentally this is another reason I really like @jonmott’s loosely coupled gradebook application that he was developing at BYU.

    • Thanks, Mark, your comment is much appreciated.

      I don’t believe that institutional policies have a hope in hell in either keeping up with technology developments in this area, or in being effective in ‘managing’ either student or instructor behaviour.

      A far better strategy is information and education about the issues, which should include risk analysis. UBC has an excellent program for students, called ‘Digital Tattoo’ [http://digitaltattoo.ubc.ca/].

      We also need to provide faculty and senior administrators with workshops about the issues around privacy and security of data, but in a way that does not frighten them off from using social media. Indeed, this might even encourage ‘laggards’ to take them more seriously. The main challenge is finding enough people with real knowledge about privacy and social media that can provide a balanced approach.

  3. It’s quite important to enhance online learning (in fact, I am studying my second career at Uned University in Madrid, Spain), but it’s for sure that it must be regulated, and instead of avoiding the improvement of e-learning we need to develop secure methods which will keep our privacy safe.
    Thanks for your article.

  4. Hi Tony, glad you found this paper written by my colleague and appreciate the enormity of the issue, it is one I have been trying to get on the table in BC for the last 7 years now, and am glad it is finally getting some traction.

    To Marc Lijour – the reason the paper addresses FIPPA and not PIPEDA is that we are a BC agency addressing BC Post-secondary issues, and from that perspective, FIPPA is the legislation we have to deal with as provincially-funded organizations, not PIPEDA.

    In terms of the market responding, this is happening. There are increasingly Canadian-based companies offering “cloud” solutions. It is important to differentiate, though, the difference between Software-as-a-Service offerings that are hosted “in the cloud” from “cloud hosting” which is typically not that dissimilar to older co-location models, except with more elastic capacity in terms of processors and disk space (similar to what you get with Amazon’s EC2 and S3 service.) These latter can greatly assist campuses in off-loading some of the commodity computing portions of their infrastructure, and *may* offer robust platforms to develop province- or nation- or sector- wide solutions that have sufficient scale. That said, these are unlikely to ever compete, either in size or in speed of innovation, with large commercial services. Which, to me, speaks to three things:
    – getting clearer on what is core to the business of education and what is not
    – getting clear on the different kinds of accommodations, intrusions and difficulties that arise in relation to “software-as-a-service” cloud scenarios, both for students (as in the case of “Digital Tattoo”) and in terms of instructors so people can make more informed choices
    – finally, continue to pursue distributed, p2p and personally controlled technologies and strategies that allow for the emergence of size not through “massification” but through the interconnections of networks. I could say much more about this, but for me this is one of the reasons (on top of other benefits) for pursuing and advocating for “PLE” and “loosely coupled” style approaches to learning environments that eventually can get the benefits of size while not forcing decisions on users that have privacy concerns about which they can do nothing.

    Thanks again for highlighting the paper and the issue, the only way forward I can see is to bring the issues to light and share the various approaches we come up with. Cheers, Scott

  5. Hi Tony,

    Thanks for taking the time to share this piece and perspective. The issues raised are many and far-reaching (as you commented). As a resident in the U.S., reading this reminds me of the tensions that have resulted in our society since 9/11. This, obviously, includes legislation and the tension between protecting citizens and providing proper protection of their rights. The world we live in…ugh.

    When you said:

    “Thank God we have a strong privacy law in British Columbia. We need protection from government intrusion into our privacy.”

    Sadly (for me), I was hit with a dose of envy…

  6. Tony, you only have to look at the Facebook privacy issues to know that issues can lie within a geographical boundary or outside it. The only way to secure your info in any way is to host it on your own server (even this is difficult to do at times without in-house expertise & secure software). Diaspora is a great answer to the Facebook issue. You can host your own Diaspora network then invite people to join you where there is mutual trust. This I think is the only secure future information-sharing model. Universities, Companies and Individuals will need to become better at hosting their own information!

